syzbot
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
==================================================================
BUG: KASAN: use-after-free in selinux_socket_connect+0x48d/0x4b0 security/selinux/hooks.c:4232
Read of size 8 at addr ffff8800af6e2e78 by task syz-executor2/6597

CPU: 1 PID: 6597 Comm: syz-executor2 Not tainted 4.4.143-g7bbfac1 #13
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 acd81c9a5c3cfa98 ffff8800b04ffad8 ffffffff81e1002d
 ffffea0002bdb800 ffff8800af6e2e78 0000000000000000 ffff8800af6e2e78
 ffff8800b04ffdc0 ffff8800b04ffb10 ffffffff81515ae6 ffff8800af6e2e78
Call Trace:
 [<ffffffff81e1002d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81e1002d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff81515ae6>] print_address_description+0x6c/0x216 mm/kasan/report.c:252
 [<ffffffff81515e05>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff81515e05>] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408
 [<ffffffff814f98f4>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [<ffffffff81c7082d>] selinux_socket_connect+0x48d/0x4b0 security/selinux/hooks.c:4232
 [<ffffffff81c50e93>] security_socket_connect+0x83/0xc0 security/security.c:1216
 [<ffffffff82f20a63>] SYSC_connect+0x103/0x300 net/socket.c:1553
 [<ffffffff82f23454>] SyS_connect+0x24/0x30 net/socket.c:1538
 [<ffffffff81006d96>] do_syscall_32_irqs_on arch/x86/entry/common.c:393 [inline]
 [<ffffffff81006d96>] do_fast_syscall_32+0x326/0x8b0 arch/x86/entry/common.c:460
 [<ffffffff838c66ea>] sysenter_flags_fixed+0xd/0x17

Allocated by task 6593:
 [<ffffffff81033c86>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff814f89a3>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [<ffffffff814f8c87>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff814f8c87>] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:616
 [<ffffffff814f53a4>] __kmalloc+0x124/0x310 mm/slub.c:3613
 [<ffffffff82f277c4>] kmalloc include/linux/slab.h:481 [inline]
 [<ffffffff82f277c4>] sk_prot_alloc+0x204/0x300 net/core/sock.c:1354
 [<ffffffff82f2d19a>] sk_alloc+0x3a/0x3a0 net/core/sock.c:1419
 [<ffffffff835a5c03>] pppol2tp_create+0x33/0x1f0 net/l2tp/l2tp_ppp.c:551
 [<ffffffff828f3996>] pppox_create+0xf6/0x200 drivers/net/ppp/pppox.c:121
 [<ffffffff82f22620>] __sock_create+0x2f0/0x5f0 net/socket.c:1177
 [<ffffffff82f22b50>] sock_create net/socket.c:1217 [inline]
 [<ffffffff82f22b50>] SYSC_socket net/socket.c:1247 [inline]
 [<ffffffff82f22b50>] SyS_socket+0xf0/0x1b0 net/socket.c:1227
 [<ffffffff81006d96>] do_syscall_32_irqs_on arch/x86/entry/common.c:393 [inline]
 [<ffffffff81006d96>] do_fast_syscall_32+0x326/0x8b0 arch/x86/entry/common.c:460
 [<ffffffff838c66ea>] sysenter_flags_fixed+0xd/0x17

Freed by task 6597:
 [<ffffffff81033c86>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff814f89a3>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [<ffffffff814f92d2>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff814f92d2>] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589
 [<ffffffff814f67d4>] slab_free_hook mm/slub.c:1383 [inline]
 [<ffffffff814f67d4>] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [<ffffffff814f67d4>] slab_free mm/slub.c:2859 [inline]
 [<ffffffff814f67d4>] kfree+0xf4/0x310 mm/slub.c:3749
 [<ffffffff82f31647>] sk_prot_free net/core/sock.c:1391 [inline]
 [<ffffffff82f31647>] sk_destruct+0x407/0x4c0 net/core/sock.c:1472
 [<ffffffff82f3174f>] __sk_free+0x4f/0x220 net/core/sock.c:1480
 [<ffffffff82f31950>] sk_free+0x30/0x40 net/core/sock.c:1491
 [<ffffffff835a91bf>] sock_put include/net/sock.h:1639 [inline]
 [<ffffffff835a91bf>] pppol2tp_session_sock_put+0x5f/0x70 net/l2tp/l2tp_ppp.c:286
 [<ffffffff835a1a3c>] l2tp_tunnel_closeall+0x23c/0x350 net/l2tp/l2tp_core.c:1277
 [<ffffffff835a25cb>] l2tp_udp_encap_destroy+0x8b/0xf0 net/l2tp/l2tp_core.c:1300
 [<ffffffff83494781>] udpv6_destroy_sock+0xb1/0xd0 net/ipv6/udp.c:1421
 [<ffffffff82f319cd>] sk_common_release+0x6d/0x300 net/core/sock.c:2680
 [<ffffffff83493435>] udp_lib_close+0x15/0x20 include/net/udp.h:190
 [<ffffffff832fae9f>] inet_release+0xff/0x1d0 net/ipv4/af_inet.c:435
 [<ffffffff8341db60>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:424
 [<ffffffff82f1c0f6>] sock_release+0x96/0x1c0 net/socket.c:586
 [<ffffffff82f1c236>] sock_close+0x16/0x20 net/socket.c:1037
 [<ffffffff81522ed5>] __fput+0x235/0x6f0 fs/file_table.c:208
 [<ffffffff81523415>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff8118bdbf>] task_work_run+0x10f/0x190 kernel/task_work.c:115
 [<ffffffff8100362d>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160 arch/x86/entry/common.c:253
 [<ffffffff81007090>] prepare_exit_to_usermode arch/x86/entry/common.c:284 [inline]
 [<ffffffff81007090>] syscall_return_slowpath arch/x86/entry/common.c:349 [inline]
 [<ffffffff81007090>] do_syscall_32_irqs_on arch/x86/entry/common.c:399 [inline]
 [<ffffffff81007090>] do_fast_syscall_32+0x620/0x8b0 arch/x86/entry/common.c:460
 [<ffffffff838c66ea>] sysenter_flags_fixed+0xd/0x17

The buggy address belongs to the object at ffff8800af6e2a80
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1016 bytes inside of
 2048-byte region [ffff8800af6e2a80, ffff8800af6e3280)
The buggy address belongs to the page:
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2018/08/01 01:07 | https://android.googlesource.com/kernel/common android-4.4 | 7bbfac190345 | 1477993e | .config | console log | report | syz | | | | ci-android-44-kasan-gce-386 | |
2018/03/29 22:26 | https://android.googlesource.com/kernel/common android-4.4 | 38f41ec1cb31 | d47f0ed6 | .config | console log | report | syz | | | | ci-android-44-kasan-gce-386 | |
2018/08/03 12:51 | https://android.googlesource.com/kernel/common android-4.4 | 2241aa98c9aa | cc4f6d0a | .config | console log | report | | | | | ci-android-44-kasan-gce | |